DESCRIPTION

SEMICONDUCTOR MEMORY

Technical Field

The present invention relates to a semiconductor memory
which is capable of executing multiple application programs.

Background Art 

Semiconductor memories have recently attracted attention
from a wide variety of business fields such as mass media, financial
institutions and local governments. The stored-data protection
function of semiconductor memories is one of the reasons they
are so attractive. Semiconductor memories having a stored-data
protection function are, for example, secure digital (SD) memory
cards, integrated circuit (IC) cards and the like.

FIG. 1 is a diagram showing an overview of an internal
structure of a commonly-used IC card. As shown in FIG. 1, an IC
card 200 includes: a ROM 203 for storing application programs; a
RAM 202 for temporarily storing data used for executing an
application program; a CPU 201 for performing control processing
such as various command processing according to the application
programs stored in the ROM 203; and a rewritable EEPROM 204 for
storing application programs downloaded from outside.

IC cards have now replaced most of the magnetic cards used as
credit cards and for other purposes. IC cards have advantageous
characteristics over magnetic cards, including larger storage
capacity and an enhanced security function for stored information
such as personal information.

An old-type IC card was capable of executing only one
application program such as electronic money. However, with the
increase in storage capacity and CPU processing speed, it has
become possible to consolidate multiple application programs onto
one IC card and execute them. Such a multi-application IC card
enables the user (card holder) to use a variety of application
programs with only one card.

The IC cards of this type which are capable of storing multiple
application programs and executing them are hereinafter referred to
as "multi-application IC cards." In the following description, the
cards of this type are also referred to just as "IC cards".

FIG. 2 is a diagram showing a software structure of a
conventional IC card. The IC card as software has a layer structure
including: a memory area 310 which is used by multiple application
programs, on the bottom layer; an operating system (OS) 311 on
the memory area 310; and the multiple application programs on the
top layer.

As shown in FIG. 1, an IC card 200 stores multiple application
programs including a first client EC application program (first
C_E_APL) 301, a second client EC application program (second
C_E_APL) 302 and a client public application program (C_P_APL)
303.

In the case where multiple application programs are stored on
a single IC card as mentioned above, the firewall function of the OS
311 prevents each application program from invading an area of the
memory area 310 to be used by another application program. In
other words, each application program has its own memory area in
the memory area 310 for storing data relating to itself. In a
conventional IC card, multiple application programs are stored
independently of each other, and there is no means for allowing
interaction between them.

Therefore, for example, in order to duplicate personal
information stored in one area of the memory area 310 for an
electronic money application program into another area of the
memory area 310 for another application program, the data is
duplicated via a server, external to the IC card, using the server's
own application program.

Note that "APL" in the diagrams and description denotes "an
application program" and "data of an application program" denotes
"data relating to an application program" which is stored in a
memory area exclusively for the application program. In addition,
"duplicating data into an application program" denotes "duplicating
data and storing the duplicated data into a memory area exclusively
for the application program".

FIG. 3 is a conceptual diagram showing how data is duplicated
from one application program into another application program in a
conventional IC card. Note that the IC card 200 and the EC server
100 communicate with each other via a reader/writer 121.

FIG. 3 shows the IC card 200 in which data A stored in the
memory area of the first C_E_APL 321 is duplicated into the memory
area of the second C_E_APL 322.

FIG. 3 also shows the case where the EC server 100 for
providing electronic commerce services is used for such duplication
of the data A.

As shown in FIG. 3, since there is the firewall 340 between the
first C_E_APL 321 and the second C_E_APL 322, the data A cannot
be duplicated inside the IC card 200. Therefore, the data A is
duplicated via the EC server 100. The user of the EC server 100
determines whether to duplicate data or not and selects data to be
duplicated.

First, the user selects data to be duplicated and requests the
EC server 100 to execute the duplication. Upon receipt of the
user's selection and request, the control APL 109 in the EC server
100 authenticates the reading APL 107 and the first C_E_APL 321 in
the IC card 200, and further authenticates the writing APL 108 and
the second C_E_APL 322.

After the authentication, the control APL 109 requests the
reading APL 107 to read out the data. The reading APL 107 reads
out the data A of the first C_E_APL 321 in the IC card 200 via the
reader/writer 121. Next, the control APL 109 requests the writing
APL 108 to write the data A. The writing APL 108 writes the data A
into the memory area for the second C_E_APL 322 in the IC card 200
via the reader/writer 121.

Disclosure of Invention 

As described above, in the conventional art, when data is
duplicated from one application program to another application
program, the data to be duplicated in an IC card is first taken
outside the card because the OS of the IC card protects, using a
firewall, the memory area of each application program from being
invaded.

In other words, in the above conventional art, the application
program of the external server first reads out, from the card, the
data and the encryption information of the data stored in the card,
and then writes them into another memory area in the card.
Therefore, the encryption information is at risk of being leaked
outside. Furthermore, not only such encryption information but
also important data such as electronic money may be in danger of
being leaked outside and tampered with by unauthorized third parties.
This is the problem of the conventional art.

The present invention has been conceived in order to solve
this problem, and an object of the present invention is to provide a
semiconductor memory which is capable of executing multiple
applications and securely duplicating important data from one
application program to another.

In order to achieve the above object, the semiconductor
memory of the present invention is a semiconductor memory which
is capable of executing at least two application programs, including:
a first storage unit operable to store data relating to a first
application program; a second storage unit operable to store data
relating to a second application program; a level identification unit
operable to identify respective security levels of the first and second
application programs for the data relating to the first and second
application programs, based on a criterion for identifying a security
level of an application program for data relating to the application
program; and a duplication unit operable to duplicate the data
stored in the first storage unit and to store the duplicated data into
the second storage unit, without taking the data outside of the
semiconductor memory, in the case where a relationship between
the two security levels identified by the level identification unit
meets a predetermined condition.

It is possible that the semiconductor memory according to the
present invention further includes a comparison unit operable to
determine the relationship by comparing the two security levels
identified by the level identification unit, and the duplication unit is
operable to duplicate the data stored in the first storage unit and to
store the duplicated data into the second storage unit, in the case
where the relationship determined by the comparison unit meets the
predetermined condition.

It is also possible that the semiconductor memory according
to the present invention further includes an obtaining unit operable to
obtain the relationship determined by comparing the two security
levels identified by the level identification unit, and the duplication
unit is operable to duplicate the data stored in the first storage unit
and to store the duplicated data into the second storage unit, in the
case where the relationship obtained by the obtaining unit meets the
predetermined condition.

The security level may be a value corresponding to a strength
of encryption used by each of the application programs.

The strength of the encryption may be stronger as an
algorithm of the encryption is more complex, or it may be stronger
as a bit length of a key for the encryption is longer.

The security level may be a value corresponding to a version
number of an application protocol used by each of the application
programs.

Or, the security level may be a value corresponding to a version
number of each of the application programs.

As described above, the semiconductor memory of the
present invention includes the level identification unit, which
determines the security levels of the two application programs for
the data relating to them based on the criterion for identifying the
security level of an application program for the data relating to it.
In other words, these two security levels are identified based on the
criterion common to all the application programs, so they can be
compared with each other.

In the case where the relationship between these two security
levels meets a predetermined condition, the duplication unit
duplicates the data relating to the first application program stored in
the first storage unit and stores the duplicated data into the second
storage unit which stores the data relating to the second application
program. In other words, the data is duplicated within the
semiconductor memory. Therefore, it becomes possible to
duplicate the data securely from one application program to another.

In the case where the application program as a duplication
destination has a security function of strength equal to or
stronger than that of the application program as a duplication source,
the data relating to the duplication source is data which should
be protected with security equal to or stronger than that in the
current situation. In other words, the data is deemed to be important.
In this case, duplication of such important data within the
semiconductor memory allows protection of the important data from
leakage outside or tampering by unauthorized third parties. As a
result, the user can make use of the semiconductor memory with a
sense of security.

The semiconductor memory of the present invention
determines the relationship of the two security levels by comparing
them. Therefore, the security levels are also not leaked from the
semiconductor memory, so there is no danger that the security
levels become known to third parties.

The semiconductor memory of the present invention obtains
the relationship between the two security levels determined by
comparing them. Therefore, the semiconductor memory does not
need to include a constituent element for comparing the security
levels, which gives a simpler structure.

The semiconductor memory of the present invention uses, as
a security level, a value corresponding to the strength of encryption
of each application program. The strength of the encryption is
stronger as the algorithm of the encryption is more complex, or as
the bit length of the encryption key is longer. Therefore, it becomes
possible to determine the value of the security level so high as to
make it difficult for third parties to decrypt the data.

The semiconductor memory of the present invention uses, as
a security level, a value corresponding to the version number of the
application protocol used by each application program. Therefore,
it becomes possible to determine the value of the security level
higher as the security function of the application protocol is
improved and the version of the application protocol is enhanced.

The semiconductor memory of the present invention uses, as
a security level, a value corresponding to the version number of
each application program. Therefore, it becomes possible to
determine the value of the security level higher as the security
function of the application program is improved and the version of
the application program is enhanced.

As described above, the strength of encryption, the version of
the protocol and the like can be used as the information for
identifying the security level, so it becomes possible to identify the
security level according to the current conditions in which the
semiconductor memory of the present invention is used.

In sum, the present invention provides a semiconductor
memory which is capable of executing multiple application programs
and securely duplicating important data from one application
program to another.

Note that the present invention can also be embodied as a
method including, as steps, the characteristic units included in the
semiconductor memory of the present invention, as a program
causing a computer to execute those steps, as a storage medium
such as a CD-ROM on which the program is stored, or as an
integrated circuit. It is needless to say that the program can be
distributed via a transmission medium such as a communication
network.

As further information about technical background to this
application, the disclosure of Japanese Patent Application No.
2004-114330 filed on April 8, 2004 including specification, drawings
and claims is incorporated herein by reference in its entirety.

Brief Description of Drawings 

These and other objects, advantages and features of the
invention will become apparent from the following description
thereof taken in conjunction with the accompanying drawings that
illustrate specific embodiments of the invention. In the Drawings:

FIG. 1 is a diagram showing an overview of an internal
structure of a commonly-used IC card;

FIG. 2 is a diagram showing a software structure of an IC
card;

FIG. 3 is a conceptual diagram showing how data is duplicated
from one application program to another in a conventional IC card;

FIG. 4 is a diagram showing an environment in which an IC
card is used;

FIG. 5 is a diagram showing an overview of a hardware
configuration in which an IC card in a first embodiment
communicates with a public service server under the environment
shown in FIG. 4;

FIG. 6 is a conceptual diagram showing how data of a library
APL is duplicated as data of a public pool APL;

FIG. 7 is a functional block diagram showing functional
software structures of the IC card and the public service server in
the first embodiment;

FIG. 8 is a diagram showing one example of a data structure
of a security level table stored in a security information storage unit;

FIG. 9 is a diagram showing one example of a data structure
of an algorithm table stored in the security information storage unit;

FIG. 10 is a diagram showing one example of a data structure
of an APL information table stored in the security information
storage unit;

FIG. 11 is a diagram showing one example of attribute
information stored in the APL information table;

FIG. 12 is a flowchart showing a flow of data duplication
operations of the IC card and the public service server in the first
embodiment;

FIG. 13 is a diagram showing one example of a duplication
destination selection screen for a user to select an application
program to which data is to be duplicated;

FIG. 14 is a diagram showing one example of a duplication
data selection screen for a user to select data to be duplicated;

FIG. 15 is a diagram showing one example of a completion
notification screen for notifying a user that duplication of data has
completed;

FIG. 16 is a schematic diagram showing relationship between
security levels and data duplication routes in the first embodiment;

FIG. 17 is a diagram showing one example in which a part of
the constituent elements of the IC card in the first embodiment is
implemented as an integrated circuit;

FIG. 18 is a functional block diagram showing functional
software structures of an IC card and a public service server in a
second embodiment;

FIG. 19 is a flowchart showing a flow of data duplication
operations of the IC card and the public service server in the second
embodiment;

FIG. 20 is a diagram showing one example in which a part of
the constituent elements of the IC card in the second embodiment is
implemented as an integrated circuit;

FIG. 21 is a diagram showing a data structure of a command
APDU;

FIG. 22 is a diagram showing an example of commands which
are defined in ISO7816 that is the international standard for
contact-type IC cards;

FIG. 23 is a diagram showing contents of a control parameter
P1 in a SELECT command;

FIG. 24 is a diagram showing a data structure of a response
APDU;

FIG. 25 is a diagram showing contents of a class byte (CLA) in
a command APDU;

FIG. 26A is a diagram showing one example of a hardware
structure of an IC card that includes three non-volatile memories;
and

FIG. 26B is a diagram showing security strengths of the three
non-volatile memories.

Best Mode for Carrying Out the Invention

A description is given below of the best mode for carrying out
the present invention, with reference to the diagrams. An IC card
described in the first to third embodiments of the present invention
is one example of the semiconductor memory of the present
invention, which is a contact IC card and includes a tamper-resistant
module (TRM). Note that it is also possible to embody the
semiconductor memory of the present invention as a contactless IC
card.

Note that as for the semiconductor memory of the present
invention, "duplication of data" in the following description includes
"transfer of data" in which original data is deleted after duplication
of the data.

(First Embodiment) 

First, a description is given of an environment in which the IC
card of the embodiments of the present invention is used.

FIG. 4 is a diagram showing the environment in which the IC
card is used. As shown in FIG. 4, the environment in which the IC
card 200 is used includes an EC server 100, a public service server
110, a wireless base station 120, a reader/writer 121, a portable
device 122 and a network 123.

The EC server 100 is a server for providing electronic
commerce services (hereinafter referred to as "EC services") such
as online payment. On the EC server 100, n types of server
application programs, namely, a first E_APL 101, a second E_APL
102, ... , an nth E_APL 103, operate respectively for n types of
services. Each server application program provides the IC card 200
with its own EC service.

The public service server 110 is a server for providing public
services such as applications for use of public facilities. On the
public service server 110, n types of application programs, namely,
a first P_APL 111, a second P_APL 112, ... , an nth P_APL 113,
operate respectively for n types of services. Each server
application program provides the IC card 200 with its own public
service.

The reader/writer 121 is an apparatus for reading data from
the IC card 200 or writing data into the IC card 200. For example,
this reader/writer 121 is embodied as a cash dispenser in a credit
card company. The reader/writer 121 is connected to the network
123, which makes it possible for the IC card 200 to use server
application programs stored in the EC server 100 and the public
service server 110 via the reader/writer 121.

The wireless base station 120 is a device installed on the roof
of a building or the top of a utility pole so as to exchange data with
a portable device 122 by radio waves. The wireless base station
120 is connected to the network 123, which makes it possible for the
portable device 122 to communicate with the EC server 100 and the
public service server 110 via the wireless base station 120.

The portable device 122 is a mobile phone type device which
is capable of communicating with the IC card 200, and has a card
slot for inserting the IC card 200, which means that it is possible for
the IC card 200 to use server application programs of the EC server
100 and the public service server 110 not only via the reader/writer
121 but also via the portable device 122.

Since browser software is installed on the portable device 122,
the user can access the data in the IC card 200 via the user interface
of this browser software.

Note that the operations of the IC card 200, the EC server 100
and the public service server 110 are unchanged whether the IC card
200 communicates with the EC server 100 or the public service
server 110 via the reader/writer 121 or via the portable
device 122.

FIG. 5 is a diagram showing an overview of a hardware
configuration in which the IC card 200 communicates with the public
service server 110 under the environment shown in FIG. 4.

As shown in FIG. 5, the IC card 200 stores a library APL 301
and a public pool APL 302 which are the application programs for use
of the public service server 110.

These application programs are downloaded from the public
service server 110 and stored in the IC card 200.

The library APL 301 is an application program for borrowing
books from a library, and is capable of checking the records of a
user's book borrowing through communication with the public
service server 110. The user's personal data A such as his name is
stored in a memory area exclusively for the library APL 301.

The public pool APL 302 is an application program for entering
a facility that has a public swimming pool, and is capable of
checking the records of the user's entries into the facility through
communication with the public service server 110. Since the
public pool APL 302 has just been downloaded, the user's personal
data has not yet been stored in a memory area exclusively for the
public pool APL 302.

When the user inserts the IC card 200 into the card slot 121a
on the reader/writer 121 mounted on a personal computer
(hereinafter referred to as a "PC"), it becomes possible to establish
communication between the IC card 200 and the public service
server 110.

The user can view, on the display monitor 130 connected to
the PC, the information delivered from the public service server 110
and the data stored in the IC card 200. The user can also give an
instruction to the public service server 110 and the IC card 200 by
operating a keyboard or a mouse equipped to the PC.

FIG. 6 is a conceptual diagram showing how the data A for the
library APL 301 is duplicated as data of the public pool APL 302. A
brief outline is given, with reference to FIG. 6, of how the data in the
IC card 200 of the first embodiment is duplicated.

The IC card 200 in the first embodiment of the present
invention holds the security level of each application program stored
in the IC card 200. A security level denotes security strength of
each application program for the data relating to the application
program itself. The security level of each application program is
identified based on the same criterion. The public service server
110 has a function of comparing the security levels. Security levels
are described later with reference to FIG. 8.

When the security level of the public pool APL 302 as a
duplication destination is equal to or higher than the security level of
the library APL 301 as a duplication source as a result of the
comparison of their security levels by the public service server 110,
the OS of the IC card 200 temporarily or partially disables the
firewall 340 between these application programs. As a result, the
data A is duplicated within the IC card 200, as shown in FIG. 6.

If the security strength of an application program as a
duplication destination is equal to or stronger than the security
strength of an application program as a duplication source when
data is duplicated, it means that the data should be protected more
securely than ever at the duplication destination which needs that
data. In other words, the data is considered to be important.

Therefore, the data A is duplicated inside the IC card 200
without being taken outside of the IC card 200. In other words, the
data is duplicated without being read outside of the IC card 200, that
is, not through an external device connected to the IC card 200. As
a result, it becomes possible to duplicate the important data A while
ensuring the security of that data.

Note that in the case where the security strength of the public
pool APL 302 as the duplication destination of the data A is weaker
than the security strength of the library APL 301 as the duplication
source, the firewall 340 is not disabled temporarily or partially and
the data A is duplicated via the public service server 110. To be
more specific, upon receiving a request from the control APL 117
included in the public service server 110, the reading APL 115 reads
out the data A via the reader/writer 121. The readout data A is
written, via the reader/writer 121, into a memory area exclusively
for the public pool APL 302 in the IC card 200 by the operation of the
writing APL 116.

The operations of the IC card 200 and the public service
server 110 during the above-mentioned duplication of data are
described in detail later with reference to FIGS. 12 to 15.

Next, a description is given of the structures of the IC card
200 and the public service server 110 in the first embodiment, with
reference to FIGS. 7 to 11. Note that the hardware structure of the
IC card 200 is the same as the hardware structure of a commonly-used
IC card (See FIG. 1).

FIG. 7 is a functional block diagram showing functional
software structures of the IC card 200 and the public service server
110 in the first embodiment.

As shown in FIG. 7, the IC card 200 includes a library APL 301,
a public pool APL 302, a security level setting unit 603, a security
level obtaining unit 604, a security level output unit 605, a security
level management unit 602, a security information storage unit 610,
a data operation unit 608 and a memory area 310.

Note that the reader/writer 121 which relays communication
between the IC card 200 and the public service server 110, the
operating systems which are inherently contained in the IC card 200
and the public service server 110 and the like are neither shown in the
diagrams nor described here, and only the characteristic elements in
the data duplication in the first embodiment are described below.

As mentioned above, the library APL 301 is an application
program for borrowing books in a library, and is capable of checking
the records of the user's book borrowing through
communication with the public service server 110.

As mentioned above, the public pool APL 302 is an application
program for entering a facility that has a public swimming pool,
and is capable of checking the records of the user's entries
into the facility through communication with the public service
server 110.

The security level setting unit 603 is a processing unit for
identifying the security level of a downloaded application program,
as well as one example of the level identification unit in the
semiconductor memory of the present invention. The security level
obtaining unit 604 is a processing unit for obtaining the security
level stored in the APL information table 601 in the security
information storage unit 610. The security level output unit 605 is
a processing unit for outputting the security level obtained by the
security level obtaining unit 603 to the public service server 110.

The security information storage unit 610 is a storage area in
which the security level table 600, the algorithm table 609 and the
APL information table 601 are stored.

The security level table 600 is a table for identifying the
security level of each application program based on the encryption
algorithm used by that application program. The algorithm table
609 is a table for identifying the encryption algorithm used in each
application program. The APL information table 601 is a table in
which attribute information of each application program is stored.
The contents of each table are described later with reference to FIGS.
8 to 11.

The security level management unit 602 is a processing unit
for inputting and outputting information stored in the security
information storage unit 610.

The memory area 310 is a storage area for storing data
relating to each application program. It includes a memory area
331 exclusively for the library APL 301 and a memory area 332
exclusively for the public pool APL 302. The memory area 331 is
one example of the first storage unit in the semiconductor memory
of the present invention, while the memory area 332 is one example
of the second storage unit in the semiconductor memory of the
present invention. The data A is stored in the memory area 331.

The data operation unit 608 is a processing unit for
duplicating data stored in the memory area 310, as well as one
example of the duplication unit in the semiconductor memory of the
present invention.

As mentioned above, the public service server 110 is a server
for providing public services such as applications for use of public
facilities, and includes the control unit 105 and the comparison unit
106.

The control unit 105 is a processing unit for exchanging data
with the IC card 200 and controlling the comparison unit 106. More
specifically, the control unit 105 is a processing unit for fulfilling the
functions of the reading APL 115 and the writing APL 116 which are
server application programs for reading and writing data as shown in
FIG. 6, and the control APL 117. The comparison unit 106 is a
processing unit for comparing two security levels transmitted from
the IC card 200 so as to determine the relationship between them.
For example, the comparison unit 106 determines, as the relationship
between the security levels of the public pool APL 302 and the library
APL 301, that the security level of the former is higher than the
security level of the latter.

As described above, the IC card 200 in the first embodiment
of the present invention includes the security level table 600 in order
to identify the security level of each application program. This
security level table 600 is applied commonly to two or more
application programs. In other words, since the security levels of
these application programs are identified based on the common
criterion, the security levels of the application programs can be
compared with each other.

FIG. 8 is a diagram showing one example of a data structure
of the security level table 600 stored in the security information
storage unit 610.

In the security level table 600, the encryption algorithm used
for each application program and the value indicating the strength of
the encryption algorithm are shown in association with each other.

As shown in FIG. 8, if the encryption algorithm is Triple Data
Encryption Standard (Triple-DES), the security level is "strong" and
the value is "03h". If the encryption algorithm is DES, the security
level is "medium" and the value is "02h". If the encryption
algorithm is Advanced Encryption Standard (AES), the security level
is "weak" and the value is "01h". Furthermore, if the data is not
encrypted, the security level is "None" and the value is "00h".

FIG. 9 is a diagram showing one example of a data structure
of the algorithm table 609 stored in the security information storage
unit 610.

In the algorithm table 609, the encryption algorithm used for
each application program and the number indicating the encryption
algorithm (hereinafter referred to as an "algorithm number") are
defined.

For example, as shown in FIG. 9, if the algorithm number is 0, 
the encryption algorithm is determined to be Triple-DES. 

FIG. 10 is a diagram showing one example of a data structure
of the APL information table 601 stored in the security information
storage unit 610. The APL information table 601 is a table in which
the attribute information of each application program, such as the
library APL 301, is stored. Note that "Electronic money APL
information" in the APL information table 601 is the attribute
information of an electronic money APL which is not shown in FIGS.
5 to 7. The electronic money APL is an application program for the
user to use electronic money.

As shown in FIG. 10, the attribute information of each
application program in the APL information table 601 includes the
following items: an application ID for identifying an application
program; a security level that is a value defined in the security level
table 600; encryption information including a bit length of an
encryption key and a value indicating an encryption algorithm; key
information that is encryption key data itself; and application
protocol information that is a version of an application protocol
(hereinafter referred to as a "protocol version"). The data length of
each attribute information is also defined in this table, and for
example, the data length of the application ID is 2 bytes.

FIG. 11 is a diagram showing one example of the attribute
information stored in the APL information table 601.

As shown in FIG. 11, the APL information table 601 stores the
attribute information of each application program. For example, as
for the library APL 301, the application ID is 3412h and the security
level is 01h ("weak"). This security level is identified and assigned
by the security level setting unit 603 at the time when each
application program is downloaded.

More specifically, when each application program is 
downloaded to the IC card 200, the security level setting unit 603 
extracts the attribute information of each application program. The 
extracted attribute information is transmitted to the security level 
management unit 602. 

The security level management unit 602 writes all the
attribute information but the security level into the APL information
table 601. It also identifies the encryption algorithm based on the
algorithm number included in the attribute information and the
above-mentioned algorithm table 609.

The security level setting unit 603 identifies the value
indicating the security level based on the encryption algorithm
identified by the security level management unit 602 and the
above-mentioned security level table 600. The security level
management unit 602 writes the identified value into the APL
information table 601.

In sum, the security level of each downloaded application
program is identified based on the security level table 600 that is the
criterion common to all the application programs.

Note that the field of the encryption information represents,
from the left, the bit length of the encryption key and the algorithm
number. For example, as for the library APL 301, the bit length of
the encryption key is 80h and the algorithm number is 02h, which
means that the bit length of the encryption key is 128 bits (16 bytes)
and the algorithm number is 2.

The encryption algorithm corresponding to the algorithm
number 2 is AES (See FIG. 9), and the value corresponding to AES is
01h (See FIG. 8). Therefore, the security level of the library APL
301 is 01h ("weak").

This table also shows that the field of the key information
stores the encryption key of 128 bits (16 bytes), and the protocol
version is 01h.

Similarly, as for the public pool APL 302, the application ID is
7856h and the security level is 03h ("strong"). The bit length of the
encryption key is C0h and the algorithm number is 00h, which
means that the bit length of the encryption key is 192 bits (24 bytes)
and the algorithm number is 0. This table also shows that the field
of the key information stores the encryption key of 192 bits (24
bytes), and the protocol version is 05h.

As described above, the security level of the library APL 301 is
01h ("weak"), while the security level of the public pool APL 302 is
03h ("strong"). In other words, it is clear that the security level of
the public pool APL 302 is higher than that of the library APL 301,
and therefore has a stronger security function than that of the
library APL 301.
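
The download-time level assignment described above, as an added Python sketch that is not code from the patent: the card parses the attribute information, looks the algorithm number up in the algorithm table 609, and takes the level from the security level table 600 rather than from the downloaded application. The byte layout of the attribute information, the function name and the mapping of algorithm number 1 to DES are assumptions; the key bytes are placeholders.

```python
import struct

# Algorithm table 609 (FIG. 9): algorithm number -> encryption algorithm.
# The page gives 0 = Triple-DES and 2 = AES; 1 = DES is an assumption.
ALGORITHM_TABLE = {0x00: "Triple-DES", 0x01: "DES", 0x02: "AES"}

# Security level table 600 (FIG. 8), with the values exactly as the page lists them.
# 00h ("None") is for unencrypted data; the page does not say how that case is
# encoded in the attribute information, so this sketch never assigns it.
SECURITY_LEVEL_TABLE = {"Triple-DES": 0x03, "DES": 0x02, "AES": 0x01}

APL_INFO_TABLE = {}  # application ID -> attribute information held on the card


def register_application(attr: bytes) -> int:
    """Store downloaded attribute information and return the card-assigned level.

    Assumed layout: application ID (2 bytes, big-endian), key bit length (1),
    algorithm number (1), key data (bit length / 8 bytes), protocol version (1).
    """
    if len(attr) < 5:
        raise ValueError("attribute information too short")
    app_id, key_bits, alg_no = struct.unpack_from(">HBB", attr, 0)
    if key_bits % 8 or len(attr) != 4 + key_bits // 8 + 1:
        raise ValueError("key information does not match the declared bit length")
    if alg_no not in ALGORITHM_TABLE:
        # Fail closed: an unknown algorithm number gets no level at all.
        raise ValueError(f"unknown algorithm number {alg_no:#04x}")
    algorithm = ALGORITHM_TABLE[alg_no]
    # The level is looked up on the card from the common table; a level
    # supplied by the downloaded application is never read.
    level = SECURITY_LEVEL_TABLE[algorithm]
    APL_INFO_TABLE[app_id] = {
        "security_level": level,
        "key_bits": key_bits,
        "algorithm": algorithm,
        "key": attr[4:4 + key_bits // 8],
        "protocol_version": attr[-1],
    }
    return level


# Constructed attribute information using the FIG. 11 values quoted on the page;
# the key bytes are placeholders.
LIBRARY_APL = bytes.fromhex("3412" "80" "02") + bytes(16) + b"\x01"
PUBLIC_POOL_APL = bytes.fromhex("7856" "c0" "00") + bytes(24) + b"\x05"

if __name__ == "__main__":
    for name, attr in (("library", LIBRARY_APL), ("public pool", PUBLIC_POOL_APL)):
        print(f"{name} APL: security level {register_application(attr):02X}h")
```
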

Next, a description is given of the data duplication operations 
of the IC card 200 and the public service server 110, with reference 
to FIGS. 12 to 15. 

FIG. 12 is a flowchart showing a flow of data duplication
operations of the IC card 200 and the public service server 110 in
the first embodiment.

Note that the following description is made on the assumption
that the data A stored in the memory area 331 exclusively for the
library APL 301 is duplicated into the memory area 332 exclusively
for the public pool APL 302. It is also assumed that the user uses
the IC card 200 in the hardware configuration as shown in FIG. 5.

The data is sent and received between the IC card 200 and the 
public service server 110 using a predetermined protocol. 

First, the user inserts the IC card 200 into the card slot 121a
of the reader/writer 121 and does a predetermined action on the PC 
equipped with the reader/writer 121. According to this action, the 
control unit 105 of the public service server 110 authenticates the 
library APL 301 that is the first application program having the data 
A (S901). After the authentication, a screen shown in FIG. 13 is 
displayed on the display panel 130 connected to the PC. 

FIG. 13 is a diagram showing one example of a duplication
destination selection screen for the user to select an application
program to which data is to be duplicated. As shown in FIG. 13, a
duplication source data display field 131 and a duplication
destination data display field 132 are displayed on the duplication
destination selection screen. Note that the screen displayed on the
display panel 130 is generated by the control unit 105, and the data
displayed thereon is outputted from the IC card 200.

In the duplication source data display field 131, the name and
address which are the data relating to the library APL 301 are
displayed under the title of "Library card" in the form in which a part
of the data is kept out of view. In the duplication destination data
display field 132, the selection button 133 for selecting the
application program as the duplication destination is displayed.

When the user clicks the selection button 133 indicating
"Public pool card", the control unit 105 of the public service server
110 authenticates the public pool APL 302 that is the second
application program as the data duplication destination (S902).

After the authentication of the public pool APL 302, a screen
shown in FIG. 14 is displayed on the display panel 130.

FIG. 14 is a diagram showing one example of the duplication 
data selection screen for the user to select data to be duplicated. 

FIG. 14 shows the state in which the user has marked the
check box 134 for the name in the duplication source data display
field 131. An arrow button 135 is displayed in the center of the
screen.

As shown in FIG. 14, when the arrow button 135 is clicked in
the state in which the check box 134 has been marked, the control
unit 105 accepts that the name data has been selected as the data
to be duplicated. In other words, the control unit 105 accepts that
the data A shown in FIG. 5 and FIG. 7 has been selected (S903).

The control unit 105 requests the IC card 200 for the security 
levels of the library APL 301 and the public pool APL 302. The 
security level obtaining unit 604 of the IC card 200 obtains, via the 
security level management unit 602, the security levels of the 
library APL 301 and the public pool APL 302, based on their 
application IDs (S904). 

The security level output unit 605 outputs the obtained two 
security levels as a response to the request from the public service 
server 110 (S905). 

The comparison unit 106 of the EC server 100 compares the
two pieces of security level information outputted from the IC card
200. Here, the security level of the library APL 301 is "01h", while
the security level of the public pool APL 302 is "03h" (See FIG. 11).

Therefore, the comparison unit 106 determines, as the
relationship between the public pool APL 302 as a data duplication
destination and the library APL 301 as a data duplication source, that
the security level of the former is higher than the security level of
the latter (Y in S906).

The information indicating this determined relationship is
transmitted to the IC card 200. The data operation unit 608 of the
IC card 200 executes, based on that information, the processing of
duplicating the data A stored in the memory area 331 exclusively for
the library APL 301 into the memory area 332 exclusively for the
public pool APL 302 (S907).

More specifically, the OS of the IC card 200 disables the
firewall 340 between the application programs temporarily or
partially based on the information transmitted from the public
service server 110. As a result, it becomes possible for the data
operation unit 608 to duplicate the data A inside the IC card 200.

Here, in the case where the security level of the application
program as a duplication destination is lower than the security level
of the application program as a duplication source (N in S906), the
firewall 340 is not disabled temporarily or partially, and the
duplication of the data A is executed via the public service server
110 (S909).

After the duplication, a screen as shown in FIG. 15 notifying
the user that the data duplication has completed is displayed on the
display panel 130.

FIG. 15 is a diagram showing one example of a completion
notification screen for notifying the user that duplication of data has
completed. When the user wants to go on to duplicate other data,
such as address data, following the duplication of the name
data (Y in S908), he/she can mark the check box of the address on
the completion notification screen shown in FIG. 15 so as to display
the arrow button 135 as shown in FIG. 14 on the screen. When the
user clicks the arrow button 135, the public service server 110
accepts the selection (S903) and performs the operation for
duplicating the data.

The IC card 200 and the public service server 110 repeat the
above operations until the data duplication is terminated (N in S908)
by the user's predetermined action.

As described above, the IC card 200 in the first embodiment
of the present invention identifies the security level of each
application program using the security level table that is the criterion
common to all the application programs.

Therefore, it becomes possible to compare the security
strengths of two different application programs based on their
respective security levels identified under the same criterion. The
comparison unit 106 of the public service server 110 which
communicates with the IC card 200 performs this comparison.

If it is determined, as a result of this comparison, that the
application program as the duplication destination which requires
data duplication has a security function equal to or stronger than
that of the duplication source, the data is considered to be important.
Therefore, the public service server 110 requests the IC card 200 to
duplicate such important data inside the IC card 200 itself.

FIG. 16 is a schematic diagram showing the relationship
between the security levels and data duplication routes in the first
embodiment. The first APL is an application program as a
duplication source, while the second APL is an application program
as a duplication destination. The first APL and the second APL are
stored in the IC card 200, and the memory areas exclusively for
respective application programs are protected from each other by a
firewall. In this diagram, a1, a2, b1 and b2 represent security
levels.

For example, when the security level of the first APL is a1 and
the security level of the second APL is a2, the security level of the
duplication destination is higher than that of the duplication source,
which means that the data to be duplicated is considered to be
important. Therefore, the firewall in the IC card 200 is temporarily
or partially disabled for data duplication inside the IC card.

If the security level of the first APL is b1 and the security level
of the second APL is b2, the security level of the duplication
destination is lower than that of the duplication source, which means
that the data to be duplicated is not considered to be important.
Therefore, the firewall is not disabled temporarily or partially for
data duplication inside the IC card, and the data is duplicated via the
server.

As mentioned above, important data is duplicated inside the
IC card 200. Since the data is not taken outside of the IC card 200,
there is no risk that the data is vulnerable to leakage or tampering.
As a result, it becomes possible to duplicate important data securely
from one application program to another.

Note that in the first embodiment, the description of the IC 
card 200 and the public service server 110 is given taking, as an 
example, the case where the IC card 200 communicates with the 
public service server 110. However, the IC card 200 does not 
always communicate with the public service server 110, and may 
communicate with the EC server 100 shown in FIG. 4 or any other 
server. 

In other words, it is not limited to the public service server 
110 that the IC card 200 communicates with. The IC card 200 can 
communicate with any server that has a function of comparing the 
security levels and a function of authenticating the application 
programs stored in the IC card 200. 

As for the flowchart shown in FIG. 12, the description is given
on the assumption that the duplication is executed via the public
service server 110 (S909) in the case where the security level of the
application program as the duplication destination is lower than the
security level of the application program as the duplication source
(N in S906). However, in the case where the data is duplicated via
the public service server 110, it is also possible to duplicate the data
with the user's consent or to prohibit the duplication.

In doing so, it also becomes possible to maintain the
confidentiality of the data which is not considered to be important.
In such a structure, it is still possible to duplicate important data
securely from one application program to another inside the IC card
200.

Furthermore, the IC card 200 is not limited to a contact IC
card, and may be a contactless IC card. Even if the IC card 200 is
a contactless IC card, it is possible to duplicate important data
securely without any effect on the processing such as identification
of the security level that is the feature of the present invention.

The above description is made on the assumption that the
data duplication route is determined based on the result of the
comparison between two security levels by the comparison unit 106
of the public service server 110, but the present invention is not
limited to such route determination. For example, it is also
possible to store the comparison result into a predetermined storage
area and then determine, using the stored comparison result, the
route of data duplication to be performed following the comparison.

In doing so, there is no need to compare the security levels on
every receipt of a request for data duplication from the IC card 200,
which allows reduction of processing time.

The above description is made on the assumption that the
hardware structure of the IC card 200 is the same as the hardware
structure of a commonly-used IC card as shown in FIG. 1. However,
it may be another hardware structure, and for example, the EEPROM
204 may be replaced with FeRAM, or any other non-volatile memory.

Furthermore, the security level management unit 602, the
security level obtaining unit 604, the security level output unit 605
and the data operation unit 608 included in the IC card 200 are
embodied as computer programs. Some of the programs are stored
in the ROM 203 and executed, and others are downloaded from
outside, stored in the EEPROM 204 that is a non-volatile memory
and then executed. The library APL 301 and the public pool APL 302
are stored in the ROM 203 or the EEPROM 204. The security
information storage unit 610 and the memory area 310 are
embodied as separate areas in the EEPROM 204.

Some functional blocks of the IC card 200 shown in FIG. 7 can
be embodied as an LSI that is a type of an integrated circuit in
combination with hardware resources such as CPU, RAM, ROM and
non-volatile memories. These blocks can be integrated separately,
or a part or all of them can be integrated into a single chip.

FIG. 17 is a diagram showing one example in which the
functional blocks of the IC card 200 in the first embodiment are
implemented in integrated circuit form. An LSI 2000 is one
example of an integrated circuit, and a range enclosed with a dotted
line is one example of a range of functional blocks to be
implemented as an integrated circuit. The LSI here can be called an
IC, a system LSI, a super LSI or an ultra LSI depending on the
degree of integration.

An integrated circuit used for such an embodiment is not
limited to an LSI, and it may be embodied as a dedicated circuit or
a general-purpose processor. It is also possible to use a field
programmable gate array (FPGA) which can be programmed in the
field after manufacturing an LSI, or a reconfigurable processor in
which connection and setting of circuit cells inside an LSI can be
reconfigured.

Furthermore, if a new technology for integrated circuits
appears and replaces LSIs with the progress of semiconductor
technologies or other technologies derived from such semiconductor
technologies, it is, of course, possible to use the new technology to
implement the functional blocks in the form of integrated circuits.
For example, biotechnology can be applied to the implementation of
the functional blocks in the form of integrated circuits.

(Second Embodiment) 

In the above first embodiment, the comparison unit 106 of the
public service server that is a communication partner of the IC card
200 compares the security levels. However, the present invention
is not limited to such a configuration, and it can also be assumed
that the security levels are compared inside the IC card 200.

So, in the second embodiment, a description is given of a
configuration in which the comparison unit 606 included inside the
IC card 200 compares the security levels.

Note that in the second embodiment, the environment in
which the IC card 200 is used is the same as the environment shown in
FIG. 4, to which the description of the first embodiment refers. In
addition, it is assumed that the communication partner of the IC
card 200 is the public service server 110, as is the case with the first
embodiment, and the overview of the hardware configuration in
such environment is the same as that shown in FIG. 5.

First, a description is given of the structures of the IC card 
200 and the public service server 110 in the second embodiment, 
with reference to FIG. 18. 

FIG. 18 is a functional block diagram showing the functional
software structures of the IC card 200 and the public service server
110 in the second embodiment.

As shown in FIG. 18, the IC card 200 in the second
embodiment has a structure in which the comparison unit 606 is
added to the structure of the IC card 200 in the first embodiment
shown in FIG. 7. The public service server 110 in the second
embodiment has a structure in which the comparison unit 106 is
deleted from the structure of the public service server 110 in the
first embodiment shown in FIG. 7.

Note that the data operation unit 608 in the IC card 200 in the
second embodiment is one example of a processing unit for
embodying the following two functions of the duplication unit and
the obtaining unit respectively in the semiconductor memory of the
present invention: a function of duplicating data; and a function of
obtaining the relationship between two security levels.

The comparison unit 606 is a processing unit for comparing
two security levels transmitted from the security level output unit
605 and determining the relationship between the two security
levels.

Each constituent element except for the comparison unit 606
of the IC card 200 and the public service server 110 in the second
embodiment performs the same processing as the elements of the
IC card 200 and the public service server 110 in the first
embodiment.

However, the security levels are transmitted from the security 
level output unit 605 of the IC card 200 to the public service server 
110 in the first embodiment, while they are transmitted from the 
security level output unit 605 of the IC card 200 to the comparison 
unit 606 of the IC card 200 in the second embodiment. 

The comparison unit 606 in the IC card 200 receives the 
security level of the library APL 301 and the security level of the 
public pool APL 302 outputted from the security level output unit 
605, compares these two security levels, and determines the 
relationship between them. 

Next, a description is given below of the operations of the IC
card 200 and the public service server 110 in the second
embodiment, with reference to FIG. 19.

FIG. 19 is a flowchart showing the flow of data duplication
operations of the IC card 200 and the public service server 110 in
the second embodiment.

Note that the following description is made of the case where 
the data A that is the data of the library APL 301 is duplicated into 
the memory area 332 exclusively for the public pool APL 302, and 
focuses on the operations different from those in the first 
embodiment. 

First, the control unit 105 of the public service server 110
authenticates the library APL 301 that is the first application
program having the data A and the public pool APL 302 that is the
second application program into which the data A is to be duplicated
(S1001 and S1002).

After the authentication, the control unit 105 accepts the 
selection of the data A as data to be duplicated (S1003). 

The above-mentioned operations are the same as the operations
of the IC card 200 and the public service server 110 in the first
embodiment, but the following operations are different from those in
the first embodiment.

When the control unit 105 of the public service server 110
accepts that the data A is the data to be duplicated, it requests the
IC card 200 to compare the security levels of the library APL 301 and
the public pool APL 302.

Upon receipt of the above request, the security level 
obtaining unit 604 of the IC card 200 obtains the security levels of 
the library APL 301 and the public pool APL 302 based on their 
application IDs via the security level management unit 602 (S1004). 

The security level output unit 605 receives these two security 
levels from the security level obtaining unit 604, and outputs them 
to the comparison unit 606. 

The comparison unit 606 compares the two pieces of security level
information outputted from the security level output unit 605.
Here, the security level of the library APL 301 is "01h", while the
security level of the public pool APL 302 is "03h" (See FIG. 11).

In other words, the comparison unit 606 determines, as the
relationship between the security levels of the public pool APL 302
as a data duplication destination and the library APL 301 as a data
duplication source, that the security level of the former is higher than
that of the latter (Y in S1005).

Based on this determined relationship, the OS of the IC card
200 temporarily or partially disables the firewall 340 in order to
duplicate the data A. The data operation unit 608 performs the
processing of duplicating the data A stored in the memory area 331
exclusively for the library APL 301 into the memory area 332
exclusively for the public pool APL 302 (S1006).

Note that in the case where the security level of the
application program as a duplication destination is lower than the
security level of the application program as a duplication source (N
in S1005), the firewall 340 is not disabled temporarily or partially
and the duplication is performed via the public service server 110
(S1007), as is the case with the first embodiment.

In the case where another data is duplicated following the 
duplication of the data A (Y in S1008), the processing flow goes back 
to the acceptance of the selection (S1003). 

The IC card 200 and the public service server 110 repeat the
above operations until the data duplication is terminated by the
user's predetermined action (N in S1008).

As described above, the flow of operations of the IC card 200
and the public service server 110 in the second embodiment is
basically the same as that in the first embodiment. However, in the
second embodiment, the inclusion of the comparison unit 606 in the
IC card 200 allows comparison of two security levels without taking
these security levels outside of the IC card 200 (S1005). In other
words, it is possible to compare the security levels without reading
them outside of the IC card 200, that is, not through an external
device connected to the IC card 200.

In other words, not only the important data but also the
security levels of the application programs are not taken outside of
the IC card 200, so the information stored in the IC card 200 can be
protected more securely.

Note that the security strengths of the application programs
are compared using their security levels identified based on the
encryption algorithms not only in the first embodiment but also in
the second embodiment. However, the security levels identified
based on the information other than the encryption algorithms may
be used for such comparison.

More specifically, in the first embodiment, the security
strength of each application program is determined to be a value of
a security level corresponding to one of "strong", "medium", "weak"
and "none" based on the encryption algorithm used for the
application program. However, it is also possible to use, as a
security level, a bit length of an encryption key, encryption key data
or the like, which is one of the conditions for encrypting the data of
each application program.

In other words, in the second embodiment, not only the data
to be duplicated but also the security levels of the application
programs are not taken outside of the IC card 200, so there is no risk
of leakage of them even if the encryption conditions are used as
security levels. Therefore, it becomes possible to compare the
security strengths of different application programs using the
security levels identified by the above encryption conditions.

Furthermore, it is also possible to compare the security
strengths of different application programs using two different
scales, namely, the four security levels "strong", "medium", "weak"
and "none" used in the first embodiment, and the encryption
conditions used in the second embodiment.

For example, in the case where the security levels of two
application programs are the same in terms of the above four levels, it
is possible to determine that the security strength of the application
program with a longer bit length of its encryption key is stronger.

In doing so, the security levels can be compared on a finer
scale in the second embodiment, while they are compared just
according to the four levels in the first embodiment.
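
The route decision of S906/S1005 together with the finer two-scale comparison just described, as an added Python sketch that is not code from the patent. It uses the four-level value first and the key bit length as a tie-breaker, and models the three options the page gives for a weaker destination (via the server, only with the user's consent, or prohibited). The class, function and policy names and the third sample application are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Route(Enum):
    INSIDE_CARD = "inside the IC card"  # firewall 340 temporarily or partially disabled
    VIA_SERVER = "via the server"       # firewall 340 stays enabled
    PROHIBITED = "prohibited"


@dataclass(frozen=True)
class AplSecurity:
    app_id: int
    level: int     # value from the security level table 600 (00h to 03h)
    key_bits: int  # bit length of the encryption key


def strength(apl: AplSecurity, fine_scale: bool) -> tuple:
    """Comparable strength: the four-level value, then key bit length as tie-breaker."""
    return (apl.level, apl.key_bits) if fine_scale else (apl.level,)


def choose_route(src: AplSecurity, dst: AplSecurity, *, fine_scale: bool = False,
                 lower_policy: str = "server", user_consents: bool = False) -> Route:
    """Pick the duplication route for data moving from src to dst.

    lower_policy (hypothetical names) selects what happens when the destination
    is weaker: "server", "consent" (server only if the user agrees) or "prohibit".
    """
    if lower_policy not in ("server", "consent", "prohibit"):
        raise ValueError(f"unknown policy {lower_policy!r}")
    # Equal or stronger destination: the data is treated as important and
    # never leaves the card.
    if strength(dst, fine_scale) >= strength(src, fine_scale):
        return Route.INSIDE_CARD
    if lower_policy == "prohibit":
        return Route.PROHIBITED
    if lower_policy == "consent" and not user_consents:
        return Route.PROHIBITED
    return Route.VIA_SERVER


# Levels and key lengths quoted on the page for FIG. 11.
LIBRARY = AplSecurity(0x3412, 0x01, 128)
PUBLIC_POOL = AplSecurity(0x7856, 0x03, 192)
# Constructed third application: same four-level value as the library APL, longer key.
SAME_LEVEL_LONGER_KEY = AplSecurity(0x0001, 0x01, 192)

if __name__ == "__main__":
    print(choose_route(LIBRARY, PUBLIC_POOL).value)
    print(choose_route(PUBLIC_POOL, LIBRARY).value)
    print(choose_route(SAME_LEVEL_LONGER_KEY, LIBRARY, fine_scale=True).value)
```

With the four-level scale alone, the constructed third application and the library APL compare as equal and the copy stays inside the card; on the finer scale the shorter key makes the library APL the weaker destination and the copy is routed via the server.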

The security level management unit 602, the security level 
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obtaining unit 604, the security level output unit 605, the 
comparison unit 606 and the data operation unit 608 included in the 
IC card 200 in the second embodiment are embodied as computer 
programs. Some of these programs are stored in a ROM In the IC 
card and executed, others are downloaded from outside, stored In a 
non-volatile memory and then executed. The library APL 301 and 
the public pool APL 302 are stored In the ROM 203 or the EEPROM 
204. The security Information storage unit 610 and the memory 
area 310 are respectively embodied as separate areas In the 
EEPROM 204. 

The functional blocks in the IC card 200 shown In FIG. 18 can 
be embodied as an LSI that Is a type of an Integrated circuit in 
combination with hardware resources such as CPU, RAM, ROM and 
other non-volatile memories. These blocks can be Integrated 
separately, or a part or all of them can be integrated Into a single 
chip. 

FIG. 20 is a diagram showing one example in which a part of
the IC card 200 in the second embodiment is implemented in
integrated circuit form. The LSI 2000 is one example of an
integrated circuit, and a range enclosed with a dotted line is one
example of a range of functional blocks to be implemented into an
integrated circuit. The LSI here can be called an IC, a system LSI,
a super LSI or an ultra LSI depending on the degree of
integration.

An integrated circuit used for such an embodiment is not
limited to an LSI, and it may be embodied as a dedicated circuit or
a general-purpose processor. It is also possible to use a field
programmable gate array (FPGA) which can be programmed in the
field after manufacturing an LSI, or a reconfigurable processor in
which connection and setting of circuit cells inside an LSI can be
reconfigured.

Furthermore, if a new technology for integrated circuits
appears and replaces implementation of LSI with the progress of
semiconductor technologies or other technologies derived from such
semiconductor technologies, it is, of course, possible to use the new
technology to implement the functional blocks in the form of
integrated circuits. For example, biotechnology can be applied to
the implementation of the functional blocks in the form of integrated
circuits.

(Third Embodiment) 

In the second embodiment, the comparison unit 606 in the IC
card 200 compares the security levels. Therefore, the description
shows that the encryption conditions can be used as the information
for identifying the security levels because the security levels are not
taken outside of the IC card 200.

However, the information for identifying the security levels
can be information other than the encryption algorithms shown
in the first embodiment and the encryption conditions shown in the
second embodiment. For example, a protocol version that is a
version of an application protocol can be used.

So, a description is given, as the third embodiment, of the use 
of such a protocol version as a security level. 

Conventionally, data is sent and received between an IC card
and an external device using application protocol data unit (APDU)
commands defined in the ISO7816 that is the international standard
for contact-type IC cards. In the above first and second
embodiments, data is sent and received, using the APDU commands,
between the IC card 200 and the EC server 100, the public service
server 110 or the reader/writer 121.

There are the following types of APDU commands: a command 
APDU used for transmitting data from a host device to an IC card; 
and a response APDU used for transmitting data from an IC card to 
a host device. 

So, in the third embodiment, a description is given of the case
where an APDU command containing version numbers of application
protocols is transmitted to the public service server 110. In other
words, the following description is made on the assumption that the
protocol versions are used as the security levels in the IC card 200
and the public service server 110 of the first embodiment.

FIG. 21 is a diagram showing a data structure of a command
APDU. As shown in FIG. 21, a command APDU has a mandatory
header and a body to follow the header conditionally. The
mandatory header includes control parameters P1 and P2 of 1 byte
each.

The public service server 110 can transmit the command
APDU containing, in the data area of these control parameters (P1
and P2), a request for creating a response APDU containing the
version numbers of the application protocols, for example.

In general, a version number of an application protocol is
incremented as its function is enhanced. For example, in the case
where the security function is enhanced or improved, the version
number is incremented. In other words, it can be said that the
security level of the application protocol with a larger version
number is higher as a result of the comparison of the version
numbers of application protocols.

As shown in FIG. 11, the version number of the application
protocol of each application program is stored in the APL information
table 601. Therefore, the IC card 200 can create the response
APDU containing the version numbers of the application protocols of
the library APL 301 and the public pool APL 302 and transmit it to the
public service server 110, for example. As a result, the comparison
unit 106 (See FIG. 7) of the public service server 110 can compare
the version numbers.

A description is given below, with reference to FIGS. 22 to 24,
of a method for transmitting version numbers of application protocols
using a response APDU.

FIG. 22 is a diagram showing an example of commands which
are defined in the ISO7816 that is the international standard for
contact-type IC cards. FIG. 23 is a diagram showing contents of a
control parameter P1 in a SELECT command.

For example, in the case of a SELECT command, there are
unspecified values in P1, as shown in FIG. 23. It is possible to make
a request to the IC card 200 using one of these unspecified values.
For example, the public service server 110 transmits a SELECT
command having a value "1" of b8 (values of other bits than b8 are
any of the values indicated in FIG. 23) to the IC card 200. In doing
so, it becomes possible to request the IC card 200 to create a
response APDU containing the version numbers of the application
protocols.

When the IC card 200 receives the SELECT command, it can
create the response APDU containing, in its data section shown in
FIG. 24, the version numbers of the application protocols and
transmit it.

The SELECT command is described here as an example, but
the present invention is not limited to it. It is possible to request
the IC card 200 to create a response APDU containing the version
numbers of application protocols if a command APDU has unused
bits.

Furthermore, it is also possible for the public service server 
110 to create its own command APDU for causing the IC card 200 to 
transmit the version numbers of application protocols. 

FIG. 25 is a diagram showing contents of a class byte (CLA) in
a command APDU. As shown in FIG. 25, if b5 to b8 in CLA are 0, it
means that the command APDU is a common command which is
compliant with ISO7816-4. If b8 in CLA is 1, it means that the
command APDU is a unique command of the public service server
110. In other words, by setting b8 in CLA to be 1, it becomes
possible to create a unique command APDU for requesting the IC
card 200 to create a response APDU containing the version numbers
of application protocols and transmit it.

As described above, it is possible for the IC card 200 to create
a response APDU containing the version numbers of application
protocols and transmit it to the public service server 110. It is
possible for the public service server 110 to compare these two
version numbers so as to determine the relationship between the
security levels of the two application programs.

For example, it is assumed that the data of the library APL 301
is duplicated into the public pool APL 302. Since the version
number of the library APL 301 is 01h, while the version number of
the public pool APL 302 is 05h (See FIG. 11), it is determined that the
security level of the public pool APL 302 is higher.

The IC card 200 obtains, from the public service server 110,
the information indicating that the security level of the public pool
APL 302 is higher and duplicates the data in itself. As a result, such
important data is duplicated inside the IC card 200.

As described above, even if the version numbers of
application protocols are used as security levels, it is possible to
duplicate important data securely, as is the case with the first and
second embodiments.

Note that in the case where the protocol version of a
duplication destination is older than that of a duplication source,
namely, the version number of the former is smaller than that of the
latter, it is possible to judge that the security of communication
between them may go down, and thus disable the data duplication.
In doing so, it becomes possible to further reduce the risk of data
leakage.
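
The exchange described above can be sketched as follows. This is an added example, not code from the patent: it uses the ISO 7816-4 SELECT instruction byte (A4h) and status words 9000h and 6D00h, takes b8 of P1 as the version request, and assumes a two-byte data section (source version, then destination version) since the layout of FIG. 24 is not given in the text. The function names and the table contents are constructed for illustration.

```python
from dataclasses import dataclass

INS_SELECT = 0xA4            # ISO 7816-4 SELECT
P1_VERSION_REQUEST = 0x80    # b8 of P1, the otherwise unspecified bit used as the request
SW_OK = b"\x90\x00"          # ISO 7816-4 normal processing
SW_INS_UNSUPPORTED = b"\x6d\x00"

# Constructed stand-in for the APL information table 601 (values quoted from FIG. 11).
APL_VERSIONS = {"library APL 301": 0x01, "public pool APL 302": 0x05}


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    body: bytes = b""


def parse_command(raw: bytes) -> CommandAPDU:
    """Split a command APDU into its mandatory 4-byte header and conditional body."""
    if len(raw) < 4:
        raise ValueError("command APDU shorter than the mandatory header")
    return CommandAPDU(raw[0], raw[1], raw[2], raw[3], raw[4:])


def card_handle(raw: bytes, source: str, dest: str) -> bytes:
    """Card side: build the response APDU for one command APDU."""
    cmd = parse_command(raw)
    if cmd.ins != INS_SELECT:
        return SW_INS_UNSUPPORTED
    if cmd.p1 & P1_VERSION_REQUEST:
        # Assumed data layout: source version byte, then destination version byte.
        return bytes([APL_VERSIONS[source], APL_VERSIONS[dest]]) + SW_OK
    return SW_OK  # ordinary SELECT: status word only in this sketch


def server_decide(response: bytes) -> bool:
    """Server side: permit in-card duplication unless the destination is older."""
    data, sw = response[:-2], response[-2:]
    if sw != SW_OK or len(data) != 2:
        raise ValueError("response carries no version pair")
    src_version, dst_version = data
    return dst_version >= src_version
```

With the versions quoted above, a request for duplication from the library APL 301 into the public pool APL 302 is permitted, and the reverse direction is refused.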

It is not always necessary to use the version number itself of
an application protocol as a security level, and any value identified
by the version number may be used.

WO 2005/098622    PCT/JP2005/006805

The version number of not only an application protocol but
also an application program is incremented. For example, when the
security function is enhanced or improved, the version number of
the application program is incremented. Therefore, the version
number of the application program itself, not the protocol version,
may be used as a security level.

In this case, it is possible to transmit the APDU command
containing the version numbers of the application programs in the
same manner as the protocol versions. Or in order to compare the
security strengths of different application programs based on their
version numbers, it is also possible to convert the version numbers
into the values indicating their security strengths based on the
criterion common to all the application programs, and then transmit
those values. In other words, any values identified by the version
numbers of application programs can be used as security levels.

In the third embodiment, the comparison unit 106 of the
public service server 110 compares the version numbers of
application protocols or application programs. However, the
comparison of the version numbers may be performed inside the IC
card 200.

For example, in the second embodiment, it is possible for the
comparison unit 606 in the IC card 200 to compare the version
numbers of application protocols using those version numbers as
security levels.

Regardless of whether the comparison of version numbers is
performed inside the IC card 200 or outside the IC card 200, it is
also possible to identify the security levels of application programs
based on a combination of the version numbers and another
criterion, such as information of encryption algorithms used in the
first embodiment and encryption conditions described in the second
embodiment, and to compare their security strengths using such
identified security levels.

In doing so, it becomes possible to adopt the optimum
method for comparison of the security strengths of application
programs, for example.

In the above first to third embodiments, it is determined
whether data is duplicated inside the IC card 200 or not by
comparing the attribute information of application programs such as
their encryption algorithms and protocol versions. However, it can
be determined whether data is duplicated inside the IC card 200 or
not by another method.

For example, in the case where separate non-volatile
memories respectively have a memory area in which data to be
duplicated is stored and a memory area in which the data is to be
duplicated, it may be determined whether the data is duplicated
inside the IC card 200 or not based on the security strengths of
these two non-volatile memories.

FIG. 26A is a diagram showing one example of a hardware
structure of the IC card 200 that includes three non-volatile
memories. As shown in FIG. 26A, the IC card 200 includes a group
of non-volatile memories 209. The group of non-volatile memories
209 includes an FeRAM 206 in the TRM area, a secure flash 207, and
a flash memory 208 outside the TRM area. Note that a secure flash
denotes a flash memory with its security strength enhanced using
the function of TRM.

FIG. 26B is a diagram showing the security strengths of the
three non-volatile memories. As shown in FIG. 26B, the security
strength of the FeRAM 206 inside the TRM area is strongest, that of
the secure flash 207 is next strongest, and that of the flash memory
208 is weakest.

For example, it is assumed that data to be duplicated exists in
the secure flash 207 and it is to be duplicated into the FeRAM 206
inside the TRM area. In this case, it is deemed that the security
strength of the duplication destination memory is stronger and the
data to be duplicated is important. Therefore, the data is
duplicated inside the IC card 200, and thus such important data can
be duplicated securely. Note that the security strength can be
compared either inside or outside the IC card.

Although only some exemplary embodiments of this invention
have been described in detail above, those skilled in the art will
readily appreciate that many modifications are possible in the
exemplary embodiments without materially departing from the
novel teachings and advantages of this invention. Accordingly, all
such modifications are intended to be included within the scope of
this invention.

Industrial Applicability 

The semiconductor memory of the present invention can store
two or more application programs and duplicate data from one
application program to another in itself. Therefore, it is useful as
an SD memory card, an IC card or the like which requires a strong
security function for important data.